auth

Authenticate against the control plane and print the resulting access, session, and refresh tokens to stdout.

Syntax

delta-forge-cli auth

Description

## Overview `auth` performs the same login flow the REPL uses at startup, then prints the resulting tokens as `key=value` lines on stdout. It is the export surface for downstream HTTP tools and for scripts that want to hold the access or session token in a variable. ## Behavior - Issues a `POST /login` against the control plane with the current username and password. - On success, prints to stdout in this order: `session_token=...` (when present), `access_token=...`, and `refresh_token=...` (when present). Diagnostic metadata is printed to stderr: `subject_id`, principal `type`, `expires_in` seconds, and `session_expires_at` when returned. - Exit code is 0 on success, 1 on any authentication failure. Network errors, wrong credentials, and disabled accounts all return 1. - Credential resolution follows the standard order: `--username` / `--password` flags > `DF_USERNAME` / `DF_PASSWORD` > profile values > built-in defaults. When stdin is a TTY and no explicit credentials were supplied, the inline stdin prompt collects them. - No SQL executes as part of `auth`. The command is safe to run against any control plane that accepts the login endpoint. ## Compatibility - The printed schema is `key=value` one-per-line, which is stable across releases. New keys may be added in the future; parsers should treat unknown keys as informational. - Tokens printed by `auth` are not automatically picked up by subsequent `delta-forge-cli` invocations. Each new invocation re-authenticates from scratch because there is no on-disk token cache. If you need a long-lived session for multiple invocations, export the session token and pass it to raw HTTP tools or to endpoints that honour an explicit bearer token.

Examples

# Default: use profile / env credentials, prompt if missing on a TTY
delta-forge-cli auth

# Explicit credentials (non-interactive)
delta-forge-cli --username svc@deltaforge.local --password ... auth

# Extract just the session token
session=$(delta-forge-cli auth | grep ^session_token= | cut -d= -f2)

# Export every key=value line as a DF_-prefixed env var
eval $(delta-forge-cli auth | sed 's/^/export DF_/')

# Use tokens with a raw HTTP tool
access=$(delta-forge-cli auth | grep ^access_token= | cut -d= -f2)
curl -H "Authorization: Bearer $access" https://control.example.com/v1/workspaces

Pitfalls

• Tokens are printed to stdout in plain text. Running `auth` on a shared terminal or through a pipe that logs stdout exposes long-lived credentials; redirect to a file with restrictive permissions or use `grep | cut` to extract only the fields you need.
• `auth` does not persist tokens anywhere. A second `delta-forge-cli query ...` invocation performs a fresh login; there is no implicit reuse of tokens emitted by a prior `auth` call.
• The built-in default password is `admin123`, intended for local development only. When neither `--password`, `DF_PASSWORD`, nor a TTY prompt supplies a value, `auth` sends that default to whatever control plane is configured.

See Also

• CLI_AUTH_FLOW
• CLI_FLAG_USERNAME
• CLI_FLAG_PASSWORD
• CLI_AUTOMATION_TOKEN_EXPORT